security: add allowed_classes => false to SequenceGenerator::unserialize()#12492
Open
XananasX7 wants to merge 1 commit into
Conversation
…ize()

The deprecated Serializable::unserialize() method calls unserialize($serialized) without an allowed_classes restriction. The serialized data is always a plain associative array of two scalar values (sequenceName: string, allocationSize: int) produced by __serialize(); no object classes are expected. Adding allowed_classes => false prevents PHP Object Injection if a crafted serialized payload is supplied to the deprecated unserialize() method, which could trigger a gadget chain during deserialization.
Member

It's virtually impossible that this happens in real applications, as it would require user-supplied entity mappings, but we can merge this regardless to avoid machines that are not able to make this conclusion from reporting this again.
Summary

The deprecated Serializable::unserialize() method in SequenceGenerator calls unserialize($serialized) without an allowed_classes restriction. The serialized payload is always the output of __serialize(), which returns only two scalar values, sequenceName (string) and allocationSize (int). No object classes are expected. Without allowed_classes => false, a crafted serialized string supplied to the deprecated method could instantiate arbitrary autoloaded classes during deserialization (PHP Object Injection), potentially triggering a gadget chain.

Fix

This is safe because __unserialize() only reads $data['sequenceName'] (string) and $data['allocationSize'] (int).

Notes

The Serializable interface and its methods are already deprecated; this is a defense-in-depth fix to harden the remaining code path until it is removed in ORM 4. The __serialize()/__unserialize() magic methods are not affected.
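The following is an added example illustrating the mechanism described in the commit message and the Summary above; it is not Doctrine's code and does not reproduce SequenceGenerator. The Gadget class, the restoreUnrestricted() and restoreHardened() functions and the shape check inside restoreHardened() are hypothetical stand-ins, the legitimate and crafted payloads are constructed inline with serialize(), and the script assumes PHP 8.0 or later. It shows that the two-scalar payload round-trips unchanged through allowed_classes => false, while a payload that smuggles an object in the same array no longer instantiates that object.

```php
<?php
declare(strict_types=1);

// Added example (not Doctrine's code): a stand-in for the deprecated
// Serializable::unserialize() path, before and after allowed_classes => false.

// Hypothetical gadget class standing in for whatever autoloadable class an
// attacker would target. __wakeup() runs during unserialize(), which is the
// hook a real gadget chain abuses; here it only counts how often it ran.
final class Gadget
{
    public static int $wakeups = 0;
    public string $cmd = 'id';

    public function __wakeup(): void
    {
        self::$wakeups++;
    }
}

// Before: unrestricted call. Any class named in the payload gets instantiated
// and its __wakeup()/__destruct() hooks run.
function restoreUnrestricted(string $serialized): mixed
{
    return unserialize($serialized);
}

// After: allowed_classes => false turns every object in the payload into
// __PHP_Incomplete_Class, so no user class is instantiated and none of its
// hooks fire. The shape check is a hypothetical extra guard mirroring what
// __unserialize() reads: a string sequenceName and an int allocationSize.
function restoreHardened(string $serialized): array
{
    $data = unserialize($serialized, ['allowed_classes' => false]);

    if (!is_array($data)
        || !is_string($data['sequenceName'] ?? null)
        || !is_int($data['allocationSize'] ?? null)) {
        throw new UnexpectedValueException(
            'expected [sequenceName => string, allocationSize => int]'
        );
    }

    return [
        'sequenceName'   => $data['sequenceName'],
        'allocationSize' => $data['allocationSize'],
    ];
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// 1. Legitimate payload, the shape __serialize() produces. The hardened path
//    accepts it unchanged, so real applications are unaffected.
$legit = serialize(['sequenceName' => 'user_seq', 'allocationSize' => 10]);
$state = restoreHardened($legit);
check($state === ['sequenceName' => 'user_seq', 'allocationSize' => 10],
    'legitimate payload round-trips');

// 2. Crafted payload (constructed here): same keys, but sequenceName carries
//    a serialized Gadget object instead of a string.
$crafted = serialize(['sequenceName' => new Gadget(), 'allocationSize' => 10]);
check(str_contains($crafted, 'O:6:"Gadget"'), 'payload names the gadget class');

Gadget::$wakeups = 0;
restoreUnrestricted($crafted);
check(Gadget::$wakeups === 1, 'unrestricted unserialize() ran Gadget::__wakeup()');

$rejected = false;
try {
    restoreHardened($crafted);
} catch (UnexpectedValueException) {
    $rejected = true;
}
check($rejected, 'hardened path rejected the crafted payload');
check(Gadget::$wakeups === 1, 'allowed_classes => false never instantiated Gadget');

// What the hardened unserialize() actually produced in the object slot.
$raw = unserialize($crafted, ['allowed_classes' => false]);
check($raw['sequenceName'] instanceof __PHP_Incomplete_Class,
    'object became __PHP_Incomplete_Class');

echo "all checks passed\n";
```

Run it with `php example.php`. Two things worth noting from the result: allowed_classes => false on its own does not reject the crafted payload, it defuses it, since the Gadget becomes an inert __PHP_Incomplete_Class whose original hooks never run; the explicit type check on sequenceName and allocationSize is what turns the defused payload into an error, which is the behaviour you want when the only valid input is two scalars.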